[nsp-sec] Conficker Data Timestamp Anomaly

[Tim Wilde]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings Everyone,

It has come to our attention that one of our sources of Conficker data
in the Daily Reports "bots" category, which was just brought online late
last week, appears to have a ~10 minute offset in its timestamps.
Unfortunately, there is no simple way to distinguish the data with
incorrect timestamps in the reports that have been sent out.  If you
encounter entries in the "bots" category with a "mwtype Conficker"
indication that do not appear to match real traffic, the timestamps may
be approximately 10 minutes behind the actual UTC time of the event.
That is, if the timestamp indicated 19:13:42, the actual event may have
been closer to 19:23 UTC.  We do not yet know the precise amount of the
offset, so I apologize that we cannot be more specific.

Again, this affects only some of the Conficker reports in the bots
category, and only beginning with reports sent 2009-03-07 through today,
bur unfortunately we cannot provide differentiating characteristics for
this data.  We have suspended imports of this data source until we can
get this timestamp issue corrected, and we sincerely apologize for the
inconvenience.  We are also removing data that had already been imported
from this source for sending tomorrow, so you should not see any of this
data with incorrect timestamps after today.

Regards,
Tim Wilde

- --
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-312-924-4033 | http://www.team-cymru.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJtUaIluRbRini9tgRAvWVAKCE8pAklMYrv6XNk5GAONEykSqTHACfWcof
WLOJQO575qBmI0Gjm6WmCIc=
=pf/5
-----END PGP SIGNATURE-----